b"Audit of USAID\xe2\x80\x99s Information Technology\nInfrastructure\nAudit Report No. A-000-05-006-P\nFebruary 22, 2005\n\n\n\n\n                WASHINGTON, D.C.\n\x0c\x0c               OFFICE OF INSPECTOR GENERAL\n\n\n\n\nFebruary 22, 2005\n\n\nMEMORANDUM\n\nFOR:          Acting Chief Information Officer, John Streufert\n              Chief Financial Officer, Lisa Fiely\n\nFROM:         IG/A/ITSA, Melinda G. Dempsey /s/\n\nSUBJECT:      Audit of USAID\xe2\x80\x99s Information Technology Infrastructure (Report\n              No. A-000-05-006-P)\n\nThis memorandum transmits our final report on the subject audit. In finalizing the\nreport, we considered your comments on our draft report and have included them\nin their entirety as Appendix II.\n\nThe report contains nine recommendations for corrective action. Based on your\ncomments to our draft report, we consider that management decisions have been\nreached for Recommendation Nos. 1, 3, 4, 7, 8 and 9. For these recommendations,\nplease notify the Bureau for Management\xe2\x80\x99s Office of Management Planning and\nInnovation when final action is completed.\n\nBased on our evaluation of your comments and all supporting documentation\nprovided, we consider that final action has occurred on Recommendation Nos. 2,\n5, and 6.\n\nI want to express my sincere appreciation for the cooperation and courtesies\nextended to my staff during this audit.\n\n\n\n\n                    1300 PENNSYLVANIA AVE., NW\n                      WASHINGTON, DC 20523\n\x0c(This page intentionally left blank)\n\n\n\n\n                                       2\n\x0cTable of   Summary of Results ................................................................................................. 5\nContents\n           Background .............................................................................................................. 6\n\n           Audit Objective ........................................................................................................ 7\n\n           Audit Findings.......................................................................................................... 8\n\n                      Does USAID have a capable information technology\n                      infrastructure that supplies reliable interconnectivity between\n                      USAID/Washington and overseas missions to effectively\n                      support Phoenix? ...........................................................................................7\n\n                                 USAID\xe2\x80\x99s Network Performance Falls Short in AFR\n                                 and ANE Regions..............................................................................9\n\n                                 Information Resources Management Strategic Plan\n                                 Outdated ..........................................................................................16\n\n                                 Network Performance Standards and Processes\n                                 Needed.............................................................................................18\n\n                                 Phoenix Application Performance Goals Needed ...........................21\n\n                                 Phoenix Project Needs Contingency Plan For Slow\n                                 Network Connectivity .....................................................................22\n           Evaluation of Management Comments .................................................................. 24\n\n           Appendix I \xe2\x80\x93 Scope and Methodology................................................................... 25\n\n           Appendix II \xe2\x80\x93 Management Comments ................................................................. 27\n\n           Appendix III \xe2\x80\x93 USAID\xe2\x80\x99s WAN Performance ........................................................ 31\n\n\n\n\n                                                                                                                                    3\n\x0c(This page intentionally left blank)\n\n\n\n\n                                       4\n\x0cSummary of   The Information Technology and Special Audits Division of the Office of Inspector\nResults      General in Washington, D.C. has completed an audit to determine whether the U.S.\n             Agency for International Development (USAID) has a capable information\n             technology (IT) infrastructure that supplies reliable1 interconnectivity between\n             USAID/Washington and overseas missions to effectively2 support USAID\xe2\x80\x99s new\n             core financial system known as Phoenix.3 This audit was a follow-on to the IT\n             telecommunications related concerns identified in the Phoenix Overseas\n             Deployment Pilot Observation at Egypt memorandum report.4 (See page 7)\n\n             The audit concluded that USAID has a capable IT infrastructure that supplies\n             reliable interconnectivity between USAID/Washington and most of USAID\xe2\x80\x99s\n             overseas missions in the Latin America and Caribbean (LAC) and Europe and\n             Eurasia (E&E) regions to effectively support Phoenix. However, interconnectivity\n             performance falls short at USAID\xe2\x80\x99s missions in the Asia and Near East (ANE) and\n             especially Africa (AFR) regions where telecommunications infrastructure is\n             inherently limited in lesser-developed or remote areas. Additionally, USAID\xe2\x80\x99s\n             aging IT infrastructure is a contributing factor to slow network and application\n             performance. (See page 8)\n\n             In conducting the audit, we also noted the following related issues: (1) USAID has\n             not documented its Information Resources Management Strategic Plan since May\n             2000. (See page 16); (2) USAID\xe2\x80\x99s Bureau of Management, Office of Information\n             Resources Management (M/IRM) does not have formal standards and processes in\n             place to measure performance of USAID\xe2\x80\x99s worldwide area network. (See page\n             18); (3) USAID does not have formal published standards or goals to measure the\n             performance of transaction response times in Phoenix for either\n             USAID/Washington or the missions. (See page 21); and (4) the Phoenix Overseas\n             Deployment (POD) project\xe2\x80\x99s technical contingency plan for slow network\n             connectivity or network disruptions is still under development and there is no\n             business contingency plan in place. (See page 22)\n\n             In their response to our draft report, USAID\xe2\x80\x99s Chief Information Officer and Chief\n             Financial Officer agreed with all nine recommendations. Based on our evaluation,\n             management decisions have been reached for Recommendation Nos. 1, 3, 4, 7, 8\n             and 9 and final action has occurred on Recommendation Nos. 2, 5, and 6. (See\n             page 24). Management comments are included in their entirety in Appendix II.\n\n\n\n             1\n               Reliable: consistent end-to-end network and hardware computing with minimal down time or\n             disruptions.\n             2\n               Effectively: actual computer processing (i.e., speed, accuracy) is acceptable, reasonable, and\n             consistent with industry standards.\n             3\n               At the time of the audit, the Phoenix system was based on CGI-AMS Momentum Financials\xc2\xae\n             version 3.7.4.\n             4\n               USAID OIG Report No. A-000-05-001-S, issued on October 13, 2004.\n\n\n\n                                                                                                           5\n\x0cBackground   USAID depends on its worldwide area network (WAN) IT infrastructure to\n             process, store, transfer, and share information in support of implementing\n             development programs. USAID/Washington and all USAID overseas missions\n             communicate with each other over the WAN, which is comprised of three network\n             paths:\n\n                     1. Diplomatic Telecommunications Service (DTS): a network\n                     system of interconnected secure data and voice circuits supporting\n                     foreign affairs agency headquarters in Washington and U.S.\n                     diplomatic missions abroad. The DTS Program Office (DTSPO) is\n                     jointly administered by the Department of State and other foreign\n                     affairs agencies to manage the global DTS network. Per\n                     Congressional mandate, DTSPO must provide responsive, reliable,\n                     secure and cost-effective telecommunications service to the foreign\n                     affairs community.\n\n                     2. Very Small Aperture Terminal (VSAT): a terrestrial station\n                     used in satellite communications of data, voice and video signals.\n                     Satellite technology is typically used where telecommunications\n                     infrastructure is inherently limited, such as in lesser-developed or\n                     remote areas. VSATs are used at missions where other network\n                     services do not meet USAID requirements and/or are not cost\n                     effective.\n\n                     3. Internet Service Provider (ISP)/Virtual Private Network\n                     (VPN): a network that uses the Internet as the medium for\n                     transporting data. VPNs use encryption and other security\n                     mechanisms to ensure that only authorized users can access the\n                     network and that the data cannot be intercepted.\n\n             In September 1999, USAID acquired a new core financial system\xe2\x80\x94CGI-American\n             Management Systems' Momentum Financials\xc2\xae (Momentum)\xe2\x80\x94a commercial off-\n             the-shelf (COTS) product. Momentum was configured to support USAID\n             requirements and renamed \xe2\x80\x9cPhoenix.\xe2\x80\x9d In December 2000, Phoenix was rolled out\n             to USAID/Washington. In 2004, Phoenix5 was piloted and rolled out to USAID\xe2\x80\x99s\n             accounting stations in Peru, Egypt, and Ghana and the Columbia and Nigeria client\n             missions of Peru and Ghana, respectively.\n\n\n\n\n             5\n                At the time of the audit, the Phoenix system was based on Momentum version 3.7.4, a\n             client/server type application. USAID is planning to upgrade this software to Momentum version\n             6.x in June 2005. While enhancements are provided with version 6.x, the primary difference is the\n             web-based browser environment. This upgrade will also enable integration with Momentum\n             Acquisitions\xc2\xae.\n\n\n\n                                                                                                            6\n\x0c                  In July 2004, the Office of Inspector General observed the Phoenix pilot\n                  deployment process conducted at USAID/Egypt. The observation raised concerns,\n                  among others, of slow system response times when processing transactions in\n                  Phoenix. The uncertainty of USAID\xe2\x80\x99s telecommunications infrastructure is a\n                  known risk associated with the Phoenix Overseas Deployment project. In the\n                  Phoenix Rollout Project Charter,6 the technology assumptions and risks state that\n                  the technical and communications infrastructure may not support Phoenix system\n                  requirements. It was also reported in several Phoenix Deployment meetings that\n                  USAID is relying on old hardware that may be unreliable to provide\n                  interconnectivity between USAID/Washington and overseas missions.\n\n                  In November 2004, the Phoenix Overseas Deployment project team updated the\n                  deployment schedule. The revised schedule accelerates the LAC deployment from\n                  April 2005 to February 2005 and will deploy Phoenix initially with Momentum\n                  version 3.7.4. Table 1 below shows the revised deployment schedule for all four\n                  regional bureaus:\n\n                  Table 1 \xe2\x80\x93 Revised Phoenix Overseas Deployment Schedule\n                      Regional Bureau                            Original Schedule       Revised Schedule\n                      Latin America and Caribbean (LAC)          April 2005              February 2005\n                      Upgrade Pilots, USAID/Washington, and      March 2005              June 2005\n                      LAC to Momentum 6.x\n                      Europe and Eurasia (E&E)                   August 2005             July 2005\n                      Asia and Near East (ANE)                   December 2005           December 2005\n                      Africa (AFR):\n                        North                                    June 2005               March 2006\n                        South                                    June 2005               April 2006\n\n\n\n\nAudit Objective This audit was a follow-on to the IT telecommunications related concerns\n                  identified in the Phoenix Overseas Deployment Pilot Observation at Egypt\n                  memorandum report.7 The audit was added to the Office of Inspector General\xe2\x80\x99s\n                  fiscal year 2005 audit plan to answer the following question:\n\n                            Does USAID have a capable information technology\n                            infrastructure that supplies reliable8 interconnectivity between\n                            USAID/Washington and overseas missions to effectively9\n                            support Phoenix?\n\n                  6\n                    Phoenix Rollout Project Charter, MST-PMO-004-CP-004-F00-IBM, dated 8/15/03.\n                  7\n                    USAID OIG Report No. A-000-05-001-S, issued on October 13, 2004.\n                  8\n                    Reliable: consistent end-to-end network and hardware computing with minimal down time or\n                  disruptions.\n                  9\n                    Effectively: actual computer processing (i.e., speed, accuracy) is acceptable, reasonable, and\n                  consistent with industry standards.\n\n\n\n                                                                                                                7\n\x0c                 Appendix I contains a discussion of the audit's scope and methodology.\n\n\nAudit Findings   USAID has a capable IT infrastructure that supplies reliable interconnectivity\n                 between USAID/Washington and most of USAID\xe2\x80\x99s overseas missions in the LAC\n                 and E&E regions to effectively support Phoenix. However, interconnectivity\n                 performance falls short at USAID\xe2\x80\x99s missions in the ANE and especially AFR\n                 regions where telecommunications infrastructure is inherently limited in lesser-\n                 developed or remote areas. Additionally, USAID\xe2\x80\x99s aging IT infrastructure is a\n                 contributing factor to slow network and application performance.\n\n                 Since 1999, security and telecommunications IT infrastructure has improved as a\n                 result of M/IRM\xe2\x80\x99s Wide Area Renovation Project. An analysis of USAID\xe2\x80\x99s\n                 interconnectivity between USAID/Washington and 45 designated overseas\n                 Phoenix missions10 (including the 5 deployed pilot missions) indicates that 20 of\n                 45 (44 percent) missions have the potential of achieving fast connectivity, when\n                 compared to industry trends under current \xe2\x80\x9cbest case\xe2\x80\x9d network conditions. From a\n                 regional standpoint, LAC performed the best followed by E&E. On average,\n                 USAID\xe2\x80\x99s network was up and running 99.7 percent at all 45 missions during\n                 October 2004, even at missions with slow network speeds.\n\n                 However, interconnectivity between USAID/Washington and the overseas\n                 missions in the ANE and AFR regions is the slowest among the 45 missions under\n                 current \xe2\x80\x9cbest case\xe2\x80\x9d conditions. Usually, missions located in these areas only have\n                 satellite technology available, which runs slower than other network paths. When\n                 technology catches-up in the lesser-developed or remote areas, interconnectivity\n                 performance should likely improve, but this is difficult to predict. In the\n                 meantime, USAID could improve several areas of its IT infrastructure and reduce\n                 the risk of poor interconnectivity between USAID/Washington and overseas\n                 missions by: (1) fine-tuning and/or replacing, if feasible, existing IT infrastructure\n                 equipment, especially in lesser-developed or remote areas where network\n                 performance falls short, (2) updating the Five-Year Information Resources\n                 Management Strategic Plan, (3) developing and implementing standards and\n                 processes for measuring and reporting on network performance, (4) developing\n                 and implementing formal performance goals and processes for application\n                 transaction response times, and (5) establishing a viable Phoenix Overseas\n                 Deployment project business contingency plan for slow network connectivity.\n\n                 Optimally, these improvements would be most effective if implemented prior to\n                 deploying Phoenix to the missions worldwide, but at a minimum, USAID should\n                 work on these improvements before deploying Phoenix to the ANE and AFR\n                 regions. These areas are discussed in detail below.\n\n\n                 10\n                   At the time of the audit, 45 overseas Mission Accounting Control System (MACS) and\n                 Controllers sites had been designated for Phoenix deployment.\n\n\n\n                                                                                                     8\n\x0cUSAID\xe2\x80\x99s Network Performance Falls\nShort in AFR and ANE Regions\n\n Summary: Interconnectivity performance between USAID/Washington and\n overseas missions varies by region. When compared to current industry trends,\n network performance is considered slow in the ANE and AFR regions, but\n medium to fast in the LAC and E&E regions. USAID\xe2\x80\x99s missions located in\n lesser-developed or remote areas are faced with limited telecommunications\n infrastructure and inherent technical constraints. Additionally, USAID\xe2\x80\x99s aging\n IT infrastructure is a contributing factor to slow network and application\n performance. As a result, USAID\xe2\x80\x99s network performance is sometimes slow\n and unfavorably impacts on Phoenix11 application performance.\n\nNetwork Performance Benchmarks \xe2\x80\x93 According to industry guidelines, network\nperformance can be analyzed using various measurement goals such as response\ntime, capacity (bandwidth), utilization, throughput, etc. Response time,12\nmeasured in terms of latency,13 is a performance goal that users care about the\nmost and is the focus of the analysis in this report. The actual latency of a data\npacket on the network is a combination of the time taken to traverse the distance\nand the time taken to process the packet at each of the routers along the\nconnection. Total network latency, calculated in milliseconds (ms), is called\nRound Trip Time (RTT).\n\nAccording to an industry leader in networking, any goals regarding latency must\ntake into account fundamental physics. Latency is relevant for all data\ntransmission technologies, but especially for satellite links and long terrestrial\ncables. Geostation satellites are in orbit above the earth at a height of about 24,000\nmiles. This long distance leads to a latency of about 270ms for an intercontinental\nsatellite hop. In the case of terrestrial cable connections, latency is about 1ms for\nevery 120 miles. As for router latency, this refers to the latency accrued when\nbridges, switches, and routers forward data. The latency depends on the speed of\nthe internal IT architecture equipment.\n\nFrom a user\xe2\x80\x99s perspective, waiting a long time for a computer system to respond\ncan be frustrating. For heavy transactional environments, long system response\ntimes significantly impact on worker productivity. Users recognize small changes\nin the expected response time. These experiences are relative to the baseline\nperformance users have come to expect from the applications they use. If their\n\n11\n   At the time of the audit, the Phoenix system was based on Momentum version 3.7.4. USAID is\nplanning to upgrade this software to Momentum version 6.x in June 2005. Performance data for\nthe future Momentum version 6.x was not available during the audit, thus it was not analyzed.\n12\n   Response time is the amount of time between a request for a network service and a response to\nthe request.\n13\n   Latency is generally the amount of time required for a data packet to traverse the network from\nsource to destination and refers to a delay factor that will inherently impact any transaction which\nuses that component.\n\n\n\n                                                                                                  9\n\x0ccurrent experience differs significantly from their expectations, support calls and\ncomplaints increase dramatically.\n\nReputable IT research firms such as Gartner, CAIDA, and FineGround have\nconducted extensive studies on RTT and latency in a WAN and internet\nenvironment. Those studies on latency industry trends provide an industry\nbenchmark for measuring USAID\xe2\x80\x99s network performance, as shown in Table 2\nbelow.\n\nTable 2 \xe2\x80\x93 Network Latency Industry Benchmark14\n RTT (ms)      Performance Value\n\n 0-300         Optimal network speed: Best connectivity. Highest application\n               performance and user productivity\n\n 301-599       Minimal acceptable network speed: Connectivity medium to slow. Relative\n               application performance reduced approaching the upper limit\n\n 600+          Slow network speed: Poor connectivity and high latency. Application\n               performance low and lost user productivity\n\n\n\nAnalysis of USAID\xe2\x80\x99s Network Performance \xe2\x80\x93 Each of the 45 designated\noverseas Phoenix missions15 (including the five pilot missions16) has a designated\nprimary and secondary network path. Those paths are either DTSPO, VSAT, or\nISP/VPN, depending on availability. Sorting USAID\xe2\x80\x99s network monitoring data\nfrom those missions by fastest available network path\xe2\x80\x94regardless of actual\nconfigured primary path at each mission\xe2\x80\x94showed that the ISP/VPN network path\nperformed the best and provided the potentially lowest latency of the three network\npaths. As shown in Figure 1 below, 20 of 45 (44 percent) missions have the\npotential of achieving fast connectivity of less than 300ms. However at the same\ntime, 16 of 45 (36 percent) missions have the potential of only achieving\nconnectivity of 600ms or more under current \xe2\x80\x9cbest case\xe2\x80\x9d conditions, which is\nconsidered slow according to industry trends.\n\n\n\n\n14\n   The data used in this table was obtained from Gartner, CAIDA, and FineGround and was not\naudited.\n15\n    At the time of the audit, 45 overseas Mission Accounting Control System (MACS) and\nControllers sites had been designated for Phoenix deployment.\n16\n   In 2004, Phoenix was piloted and rolled out to Peru, Egypt, and Ghana accounting stations and\nthe Columbia and Nigeria client missions of Peru and Ghana, respectively.\n\n\n\n                                                                                             10\n\x0c          Figure 1 \xe2\x80\x93 USAID\xe2\x80\x99s Network Performance: Best Case Scenario17\n\n     Figure 1 \xe2\x80\x93 USAID\xe2\x80\x99s     Network Performance: Best Case Scenario. This is\n                  I nterconnectivity between USAID/W and 45 Phoenix Missions\n     a pie graph showing interconnectivity between USAID/W and 45 Phoenix\n     Missions. The pie is comprised of three parts: (1) 0-300ms, 20 ISP/VPN\n     missions, 44 percent; (2) 301-599ms, 2 VSAT, 1 DTSPO, 6 ISP/VPN,\n     missions, 20 percent; and (3) 600+ms, 12 VSAT, 4 ISP/VPN missions, 36\n     percent. Chart legend: 0-300ms: Optimal network speed: best connectivity.\n                             600+m s\n     Highest application performance       and user productivity.    301-599ms:\n                             12 VSAT                            0-300m s\n     Minimal acceptable network\n                             4 ISP/VPNspeed: connectivity medium       to slow. Relative\n                                                                20 ISP/VPN\n     application performance 36%reduced approaching the upper   44% limit. 600+ms:\n                                          301- 599m s\n     Slow network speed: poor connectivity2 VSAT and high latency. Application\n                                          1 DTSPO\n     performance low and lost user productivity\n                                            6 ISP/VPN\n                                            20%\n\n\n\n\n            0-300ms: Optimal network speed: Best connectivity. Highest application\n            performance and user productivity\n\n            301-599ms: Minimal acceptable network speed: Connectivity medium to slow.\n            Relative application performance reduced approaching the upper limit\n\n            600+ms: Slow network speed: Poor connectivity and high latency. Application\n            performance low and lost user productivity\n\n\nAccording to USAID officials, ISP/VPN is becoming increasingly popular with\nmissions because of improved high speed service availability compared to DTSPO\nand VSAT. However, security and reliability of ISPs in certain lesser-developed\nor remote areas, such as in AFR and ANE are a concern. Therefore, speed is not\nalways the key factor when selecting a primary network path for a mission.\nM/IRM typically uses five factors when deciding on the primary network path for\na mission: availability, speed, reliability, security, and cost. M/IRM officials said\nthat the five factors must be balanced appropriately and these decisions are\nconstantly reevaluated to achieve the best possible outcome.\n\nFigure 2 below presents a view of connectivity performance by regional bureau.\nThe analysis shows that missions in LAC and E&E regions perform the best, while\nmissions in ANE and especially AFR regions have major performance challenges.\nIn the LAC region, 9 of 10 (90 percent) missions have the potential of achieving\nfast connectivity performance of 300ms or less. Meanwhile, in the AFR region, 10\n\n\n17\n  The amounts presented in this graph were provided by M/IRM\xe2\x80\x99s Enterprise Network Monitoring\nService (ENMS) and its process for compiling the amounts was audited. The network performance\ndata is comprised of average daily RTT readings in September and October 2004 for DTSPO and\nVSAT. For ISP/VPN, the RTT readings are the averages of one sample day in October and one\nsample day in November 2004.\n\n\n\n                                                                                           11\n\x0cof 16 (63 percent) missions face slow connectivity of 600ms or more. For details\nof all 45 missions, please refer to Appendix III.\n\n            Figure 2 \xe2\x80\x93 USAID\xe2\x80\x99s Network Performance by Regional Bureau18\n     Figure 2 \xe2\x80\x93 USAID\xe2\x80\x99s Network Performance by Regional Bureau.\n     This is a bar graph that presents a geographical view of the 45\n     Phoenix missions\xe2\x80\x99    connectivity\n                     Interconnectivity    performance\n                                       between          by 45\n                                               USAID/W and regional\n                                                              Phoenix bureau.\n                                                                      Missions Each\n     region is represented with a bar and each bar shows the quantity of\n     missions in each of the three\n                               1        RTT categories:\n                                                 2\n                                                              4\n                               LAC     E&E     ANE      AFR\n                                                                            10\n      0-300ms                    9       4      24        3\n      301-599ms\n            Missions\n                                 1       2       3        3 3\n      600+ms                       9     2       4       10\n                                 10      8      11       16                 3\n                                                 4\n                                                              4\n     Chart legend: 0-300ms: Optimal network speed: best connectivity.       3\n     Highest application performance and user productivity. 301-599ms:\n     Minimal acceptable network   LAC   speed:\n                                            E&Econnectivity\n                                                          ANE medium    AFRto slow.\n     Relative application performance Rreduced           approaching the upper limit.\n                                              egional Bureaus\n     600+ms: Slow network speed: poor connectivity and high latency.\n            0-300ms: Optimal network speed: Best connectivity. Highest application performance\n     Application\n     Applica tionuser\n            and    performance\n                      productivity   low and lost user productivity\n\n             301-599ms: Minimal acceptable network speed: Connectivity medium to slow.\n             Relative application performance reduced approaching the upper limit\n\n             600+ms: Slow network speed: Poor connectivity and high latency. Application\n             performance low and lost user productivity\n\n\n\nThe analysis of USAID\xe2\x80\x99s network performance by regional bureau is consistent\nwith a recent United Nations study19 that ranked 178 countries on Information and\nCommunication Technology (ICT). Lower ranked ICT countries are primarily\nlocated in Sub-Saharan Africa and Near East. Countries in the lower ranked\ncategory are the poorest in the world with the lowest levels of communications\ninfrastructure. Landlocked countries are at an even greater disadvantage since\ntheir international connectivity options are restricted to satellite.\n\nImpact of High Latency on Application Performance \xe2\x80\x93 An analysis of USAID\xe2\x80\x99s\nnetwork indicates that high latency impacts on Phoenix20 application performance.\n\n\n\n\n18\n   Ibid, Figure 1.\n19\n   The United Nation\xe2\x80\x99s International Telecommunication Union published the first global index to\nrank Information and Communication Technology of 178 countries on November 19, 2003.\n20\n   The analysis is based on the current Phoenix software\xe2\x80\x94Momentum version 3.7.4. Performance\ndata for the future Momentum version 6.x was not available during the audit, thus it was not\nanalyzed.\n\n\n\n                                                                                                 12\n\x0cLogfile21 data that was collected for about three months at selected Phoenix pilot\n              TP    PT\n\n\n\n\noverseas missions shows that Phoenix pilot users experienced long wait-times for\ncertain transactions. For example, USAID/Nigeria experienced some of the\nslowest times among the five pilot missions. The \xe2\x80\x9cverify\xe2\x80\x9d transaction times ranged\nfrom about 1 minute to over 3 minutes and users reported that the system had been\nslow, much slower than ever before. Phoenix occasionally froze or users were\nblocked out and they had to exit Phoenix through task manager. USAID/Ghana\nalso experienced wait-times of over 2 minutes on certain transactions.\n\nAccording to recent industry studies,22 an average transaction response time range\n                                                                         TP   PT\n\n\n\n\nof 6 to 10 seconds is a reasonable \xe2\x80\x9crule of thumb\xe2\x80\x9d benchmark for Enterprise\nResource Planning type applications (similar to Phoenix), in consideration of\nvarious RTTs and network environments. Additionally, FineGround\xe2\x80\x99s research\ncorrelated the impact of high latency on application performance. Figure 3 below\nshows the correlation of application response times from a leading online banking\nsite across a range of various network latencies.\n\n                   Figure 3 \xe2\x80\x93 Correlation of Latency and Application Performance23                                   TP   PT\n\n\n\n\n          Figure 3 \xe2\x80\x9325Correlation of Latency and Application Performance. This is\n          a line graph that shows the correlation of application response times\n                                                                          21.7 from a\n                         Response Time (secs)\n\n\n\n\n                     20\n          leading online banking site across a range of various network\n                                                                   18.4  latencies.\n                                                15                                          15.1\n           X Axis:\n           Latency                                                                 11.8\n                   10\n           (ms)       40                             90    200     300\n                                                                     8.3 400         500    600\n                                                5         5.8\n           Y Axis:          2.5\n           Response 0\n                          \xe2\x80\xab\xd8\xa7\xe2\x80\xac\n           time\n                      0 40 100                                     200        300         400      500   600   700\n           (secs)     2.5 5.8 8.3                                 11.8   15.1       18.4    21.7\n                                                                Wide Area Network Latency RTT (ms)\n\n\nAs shown in Figure 3, application performance degrades rapidly with latency. For\nexample, response time with 300ms of latency is almost 5 times more than\nresponse time with 40ms of latency.\n\nIn April 2004, the Program Management Office identified 33 risks for the Phoenix\nOverseas Deployment project. One of the risks identified is related to poor\ntelecommunications and interconnectivity between USAID/Washington and the\n\n\n21\nTP Logfile data comes from the monitoring feature in Momentum 3.7.4 (Phoenix) for selected users\n     PT\n\n\n\n\nat the 5 pilot missions and USAID/Washington to collect actual transaction response time data from\nSeptember through November 2004.\n22\nTP Recent industry studies published by FineGround and Publications & Communications, Inc.\n     PT\n\n\n\n\n23\nTP The data presented in this graph was obtained from FineGround and was not audited. The Office\n     PT\n\n\n\n\nof Inspector General resident statistician used regression analysis to estimate application response\ntimes for RTT between 300 and 600ms.\n\n\n\n                                                                                                                               13\n\x0coverseas missions. The implementation of applet24 technology was identified as a\ntechnical risk mitigation strategy to ensure that a working interface to Phoenix is\navailable in all sites, in cases where available telecommunications cannot support\nthe Phoenix application. The applet technology (eFIX) that was designed as a\nPhoenix Overseas Deployment technical risk mitigation strategy has not yet\nachieved consensus that the types of transactions eFIX can process are sufficient to\nbe a practical solution for USAID missions likely to experience latency problems.\nThis is described further on page 22 of this report.\n\nAccording to Gartner, greater reliance on new, inefficient protocols,25 combined\nwith increasing global requirements, will result in applications that will not meet\neven minimum user expectations, resulting in lost user productivity. Gartner\xe2\x80\x99s\nresearch suggests that 90 percent of networks that do not address latency issues\nwill not meet business-critical application service levels through 2007 (0.8\nprobability). Distance and the speed of light are two contributors to latency that\ncannot be optimized; therefore, Gartner recommends that network managers look\nat alternative fine-tuning options for dealing with these limitations.\n\nImpact of Aging IT Infrastructure \xe2\x80\x93 USAID\xe2\x80\x99s aging IT infrastructure is a\ncontributing factor to slow network and application performance. Many IT\nequipment items are near, have reached, or exceeded their serviceable lifespan.\nAlthough M/IRM\xe2\x80\x99s Wide Area Renovation Project that was initiated in 1999 had\nsignificantly improved security and telecommunications IT infrastructure at 84\nmissions, some equipment items are considered already obsolete and no longer\nsupported by the manufacturer, according to M/IRM documents. As a result of\nUSAID\xe2\x80\x99s lack of operating expense funds and lack of funding for technical\nupgrades for the past several years, much of the IT infrastructure is older than\nindustry standard life cycles would typically allow. Because of the aging of the\ninfrastructure, maintenance is more difficult and expensive, failures are more\nfrequent, and securing the infrastructure components is more difficult.\n\nIn September 2004, M/IRM published its Technology Refresh Plan (the plan) to\npresent recommendations for the procurement and implementation of new\ntechnology components and processes for USAID. The plan focused on funding\nfor planning, acquisition, and deployment of worldwide IT infrastructure technical\nupgrades for many categories of equipment to bring USAID up to state-of-the-art\nequipment standards in both headquarters and missions. This plan states that it\nwill improve the functioning of USAID\xe2\x80\x99s IT systems in support of efficiency of\nUSAID staff and also in support of collaboration with the Department of State in\nconverging the two organizations\xe2\x80\x99 networks. The plan expands on short and long-\n24\n   An applet is a program written in the Java programming language that can be included in an\nHTML page, much in the same way an image is included.\n25\n   A protocol is an agreed-upon format for transmitting data between two devices. There are a\nvariety of standard protocols from which programmers can choose. Each has particular advantages\nand disadvantages; for example, some are simpler than others, some are more reliable, and some\nare faster.\n\n\n\n                                                                                            14\n\x0c term initiatives focusing on those that are important to initiate over the next 12 to\n 24 month period. The plan outlines and prioritizes 15 areas where IT\n infrastructure should be upgraded and highlights the risks of not upgrading and\n that \xe2\x80\x9cthe greater danger lies in waiting and doing nothing.\xe2\x80\x9d\n\n Further, a recent study on USAID\xe2\x80\x99s IT infrastructure26 reported that USAID\xe2\x80\x99s\n current process of deferring spending and the postponement of the implementation\n of a sound and integrated information technology architecture are in direct\n contradiction to the mandates of the Information Technology Management Reform\n Act and the Clinger-Cohen Act. The study warns if USAID continues in the\n current mode of only replacing systems when they cease to function or when\n absolutely necessary to maintain required functionality, the continual aging and\n diversity will lead to catastrophic collapses and/or sky rocketing support costs and\n service interruptions over the next 12 to 36 months, jeopardizing the key USAID\n mission. The study suggests, in part, that USAID establish a plan to systematically\n upgrade critical infrastructure to a common, industry-standard platform,\n maximizing the potential to leverage other compatible government and private\n sector initiatives, such as those under way at the Department of State and in private\n technology providers.\n\n In sum, USAID\xe2\x80\x99s IT infrastructure in missions located in lesser-developed or\n remote areas are faced with limited telecommunications infrastructure and inherent\n technical constraints. Additionally, USAID\xe2\x80\x99s aging IT infrastructure is a\n contributing factor to slow network and application performance. Consequently,\n USAID\xe2\x80\x99s network performance falls below industry benchmarks in these areas and\n our analysis shows that slow network speed unfavorably impacts on application\n performance, such as with Phoenix.\n\n         Recommendation No. 1:      We recommend that USAID\xe2\x80\x99s\n         Director, Office of Information Resources Management,\n         implement a process to continuously monitor and improve\n         network protocol settings and fine-tune and/or replace, if\n         feasible, existing information technology infrastructure\n         equipment in support of the Phoenix Overseas Deployment\n         project.\n\n         Recommendation No. 2:          We recommend that USAID\xe2\x80\x99s\n         Director, Office of Information Resources Management,\n         implement a process to periodically identify alternate sources of\n         telecommunications      service   providers     and     emerging\n         technologies, especially in lesser-developed or remote areas\n         where telecommunications infrastructure is limited, such as in\n         the Africa and Asia and Near East regions to help improve\n\n26\n   Forrester Research, Inc., \xe2\x80\x9cAnalysis and Recommendations for USAID Infrastructure Refresh\xe2\x80\x9d\nJanuary 20, 2005.\n\n\n\n                                                                                         15\n\x0c       USAID\xe2\x80\x99s information technology infrastructure performance in\n       support of the Phoenix Overseas Deployment project.\n\nInformation Resources Management\nStrategic Plan Outdated\n\n Summary: USAID has not updated its five-year Information Resources\n Management (IRM) Strategic Plan since May 2000. USAID\xe2\x80\x99s Automated\n Directives System (ADS) 542.5.2 requires that the IRM Strategic Plan be\n updated annually. The primary reasons for deferring the IRM Strategic Plan\n were related to the unclear degree of joint IT initiatives between the Department\n of State and USAID and reorganization disruptions in the Bureau of\n Management. Nevertheless, without an updated IRM Strategic Plan, it will be\n difficult for USAID to focus on network connectivity performance challenges in\n support of the Phoenix Overseas Deployment project, as well as align its IT\n infrastructure to meet the joint Department of State/USAID's IT goals through\n effective information management.\n\nOffice of Management and Budget (OMB) Circular No. A-130, \xe2\x80\x9cManagement of\nFederal Information Resources,\xe2\x80\x9d establishes policy for the management of Federal\ninformation resources and includes procedural and analytic guidelines for\nimplementing specific aspects of these policies. The Circular states that in the\ncapital planning and investment control process, there are two separate and distinct\nplans that address IRM and IT planning requirements for the agency\xe2\x80\x94the IRM\nStrategic Plan and IT Capital Plan. The IRM Strategic Plan is strategic in nature\nand addresses all information resources management of the agency. Agencies must\ndevelop and maintain the agency IRM Strategic Plan as required by 44 U.S.C.\n3506 (b) (2). IRM Strategic Plans should support the agency Strategic Plan\nrequired in OMB Circular A-11, provide a description of how information\nresources management activities help accomplish agency missions, and ensure that\nIRM decisions are integrated with organizational planning, budget, procurement,\nfinancial management, human resources management, and program decisions. The\nIT Capital Plan is operational in nature, supports the goals and missions identified\nin the IRM Strategic Plan, is a living document, and must be updated twice yearly.\n\nFurther, ADS 542, \xe2\x80\x9cPlanning and Budgeting for IT Resources,\xe2\x80\x9d provides a\nframework and the essential procedures for planning and budgeting for\ninformation management and IT resources to carry out the Agency's mission,\ngoals, and objectives. Section 542.5.2 requires that an Agency-wide IRM Strategic\nPlan for the creation, collection, processing, transmission, use, storage,\ndissemination, and disposition of information be developed. It also states that the\nIRM strategic planning process shall support the Agency\xe2\x80\x99s current and future\nmission, program needs, and include participation from the Agency's bureaus,\nindependent offices, and missions. Additionally, the ADS states that the IRM\nStrategic Plan shall serve as the cornerstone for formulating the Agency-wide IRM\n\n\n\n                                                                                 16\n\x0cbudget submission to OMB. Section E542.5.2 requires, in part, that the IRM\nStrategic Plan be updated annually.\n\nThe purpose of the five-year IRM Strategic Plan is to provide a strategic plan\nbased on identified needs and priorities, and recognize the challenges USAID will\nface in the next five years. Although the strategic plan that was published in 2000\nhas not been recently updated, it does require USAID to have an effective IT\ninfrastructure, which is one of the named strategic objectives.\n\nAccording to USAID officials, updated formulation of the IRM Strategic Plan will\nnot be finished until around January 2005 because several on-going studies that\nwould serve as the foundation of the IRM Strategic Plan would not be ready until\nthen. The first draft IRM Strategic Plan is expected to be issued by the end of\nMarch 2005. The reasons for postponing the IRM Strategic Plan were: (1) the FY\n2004-2009 Department of State and USAID Strategic Plan discussed exploring\npotential joint initiatives, including joint IT initiatives, but the degree of\n\xe2\x80\x9cjointness\xe2\x80\x9d in IT initiatives was not made clear by senior management in both\nagencies and (2) a very slow reorganization of the Bureau of Management, which\ntook nearly two years to complete and, as such, was somewhat disruptive.\n\nIn April 2004, the Department of State issued its IT Strategic Plan Fiscal Years\n2006-2010 Goals Paper. The Goals Paper incorporates the FY 2004-2009\nDepartment of State and USAID Strategic Plan (Joint Strategic Plan) and provides\na high-level blueprint for using the Department\xe2\x80\x99s modern IT infrastructure to\ndeliver knowledge resources and IT services to State\xe2\x80\x99s diplomatic practitioners\noverseas and in the United States. The Joint Strategic Plan, which articulates the\nvision for integrating management structures between the organizations, explains\nthat the Department of State and USAID will:\n\n   \xe2\x80\xa2   Coordinate IT planning and common use of architecture and\n       infrastructure. The Department of State and USAID will develop\n       and implement a joint IT Strategic Plan to support common policy\n       objectives.\n\n   \xe2\x80\xa2   Develop and implement a joint Enterprise Architecture to guide\n       both organizations\xe2\x80\x99 future IT investments.\n\n   \xe2\x80\xa2   Work together to strengthen our IT Capital Planning process and\n       produce consolidated OMB business cases and Exhibit 300\n       submissions.\n\n   \xe2\x80\xa2   Develop a joint security architecture and a uniform and unified\n       certification and accreditation process.\n\n\n\n\n                                                                                17\n\x0cWithout an updated IRM Strategic Plan, it will be difficult for USAID to focus on\nnetwork connectivity performance challenges in support of the Phoenix Overseas\nDeployment project, as well as align its IT infrastructure to meet the joint\nDepartment of State/USAID's IT goals through effective information management.\n\n       Recommendation No. 3: We recommend that USAID\xe2\x80\x99s Chief\n       Information Officer update USAID\xe2\x80\x99s Information Resources\n       Management Strategic Plan to address the Agency\xe2\x80\x99s\n       information technology requirements, priorities, and\n       infrastructure challenges over the next five years and\n       information technology goals articulated in the State\n       Department's Information Technology Strategic Plan, Fiscal\n       Years 2006-2010, Goals Paper (which is based on the 2004-2009\n       Department of State and USAID Strategic Plan).\n\n       Recommendation No. 4: We recommend that USAID\xe2\x80\x99s Chief\n       Information Officer develop and implement a process to\n       annually update USAID's Information Resources Management\n       Strategic Plan.\n\nNetwork Performance Standards\nand Processes Needed\n\n Summary: M/IRM does not have formal standards and processes in place to\n measure performance of USAID\xe2\x80\x99s worldwide area network. Although M/IRM\n monitors the status of network connectivity on a daily basis for early-warning\n and diagnostic purposes, it does not have a process in place to measure network\n performance against established standards such as network Round Trip Time.\n Further, M/IRM does not separately monitor the ISP/VPN network path, which\n is becoming increasingly popular with missions because of improved high speed\n service availability compared to DTSPO and VSAT. ADS Section 549.3 states,\n in part, that M/IRM is responsible for monitoring network activities,\n documenting and logging connectivity, and measuring performance. Because of\n funding limitations and M/IRM not having established formal standards and\n processes for measuring performance of USAID\xe2\x80\x99s worldwide area network, it is\n difficult for M/IRM to fulfill its responsibility of providing a reliable, consistent,\n and cost-effective telecommunications network for USAID/Washington and all\n overseas locations worldwide in support of the Phoenix Overseas Deployment\n project.\n\nADS 549, \xe2\x80\x9cTelecommunications Management,\xe2\x80\x9d provides the framework and\nessential procedures for management and use of USAID\xe2\x80\x99s full range of\ntelecommunications services. According to Section 549.3, a Network Operations\nand Management Group within M/IRM is responsible for monitoring network\nactivities, documenting and logging connectivity, measuring performance, taking\n\n\n\n                                                                                     18\n\x0ccorrective action to maintain operational status, recommending and implementing\nnetwork enhancements (in cooperation with M/IRM, Information Policy and\nAdministration Division) and developing contingency plans. Further, Section\n549.5.4k states that M/IRM shall provide the tools for IT Specialists to perform\nbasic utilization reporting for their platforms and conduct periodic reviews on disk\nutilization, line activity, concentrator workload, server performance, and evaluate\nnew maintenance releases for the operating system software.\n\nIn early 2000, M/IRM implemented a system performance monitoring tool\n(Concord\xe2\x80\x99s eHealth) to collect availability and performance data from selected\ncritical systems such as Phoenix and Database servers. According to USAID\nofficials, the eHealth tool provides a full, accurate picture about key system\nperformance metrics\xe2\x80\x94including CPU, memory, disk, availability, and line\nutilization\xe2\x80\x94in an easy-to-understand, consistent format, regardless of the data\nsource. It also identifies systems and applications with performance problems and\nprovides a historical record of performance trends.\n\nAbout two years ago, M/IRM initiated monitoring of USAID\xe2\x80\x99s network\ninterconnectivity between USAID/Washington and the overseas missions. To\nestablish a network monitoring gauge, M/IRM collected data for several weeks,\nanalyzed it and determined that an appropriate high-end alert for network latency\nwas 3 seconds, which was based on how the network was performing at that time.\nUsing this gauge, M/IRM developed a network monitoring model to measure the\nnetwork status in USAID/Washington and the overseas missions, as shown in\nTable 3 below.\n\n       Table 3 \xe2\x80\x93 Network Monitoring Model\n        Color Code             Network Latency\n\n        1. Green               <= 1 second\n\n        2. Blue                >1 second <= 3 seconds\n\n        3. Violet              > 3 seconds\n\n\nRecognizing the need to monitor system performance at the Phoenix pilot missions\nin Egypt, Ghana, and Peru, M/IRM implemented Concord's Business Service\nConsole (BSC) in July 2004. Throughout the day, monitoring of activities and\nstatus of applications (Phoenix, Crystal Enterprise), systems (Phoenix Servers), or\nnetworks (DTSPO, ISP/VPN, and VSAT) can be done with the BSC tool. The\nBSC tool can drill down to obtain details about the problem and determine the\ncause. Using this information, M/IRM can determine how efficiently applications\nand systems are running, whether critical resources are available, and what\ncapacity planning initiatives make sense. However, due to funding limitations,\nM/IRM could only implement the BSC tool at the first three Phoenix pilot\nmissions.\n\n\n                                                                                 19\n\x0cAlthough M/IRM has implemented Concord\xe2\x80\x99s monitoring tools on a limited basis\nand actively monitors the status of USAID\xe2\x80\x99s network on a daily basis for early-\nwarning and diagnostic purposes and also, it does not have a process in place to\nmeasure network performance against established formal standards such as\nnetwork Round Trip Time. According to M/IRM officials, the current network\nmonitoring model (Table 3) was not intended to be a standard for measuring\nUSAID\xe2\x80\x99s network performance.\n\nFurther, M/IRM does not separately monitor or report on the ISP/VPN network\npath as it does with DTSPO and VSAT. As a result, regular statistical and\nmonitoring reports are not available for ISP/VPN as they are for the other network\npaths. Reporting for ISP/VPN is done on an ad hoc basis when requested. When\nM/IRM initiated network monitoring, it did not have a viable automated method to\ndetermine the network path (i.e., DTSPO, VSAT, and ISP/VPN) being used by a\nparticular mission at a particular time and M/IRM could not correlate this data\nback to make separate polling routines for each network path, which could have\ndifferent response time categories. However, according to M/IRM officials, this\ncapability is now available.\n\nWe also noted that M/IRM has not updated its network monitoring model to match\ntoday's network environment where network speeds are running in milliseconds.\nThe current network monitoring model categorizes network speeds in seconds\nrather than in milliseconds. The time categories that are currently being used to\nmonitor the network were based on capabilities from approximately two years ago\nwhen M/IRM first started monitoring USAID\xe2\x80\x99s WAN.\n\nWithout established goals, updated standards, and processes for measuring\nUSAID\xe2\x80\x99s network performance, it is difficult for M/IRM to fulfill its responsibility\nof providing a reliable, consistent, and cost-effective telecommunications network\nfor USAID/Washington and all overseas locations worldwide in support of the\nPhoenix Overseas Deployment project.\n\n       Recommendation No. 5:        We recommend that USAID\xe2\x80\x99s\n       Director, Office of Information Resources Management,\n       develop and implement goals, standards, and processes that are\n       consistent with industry best practices for measuring and\n       reporting on USAID\xe2\x80\x99s worldwide area network performance,\n       such as expanding the use of performance monitoring tools\n       agency wide.\n\n       Recommendation No. 6:       We recommend that USAID\xe2\x80\x99s\n       Director, Office of Information Resources Management,\n       implement a process to actively monitor and prepare\n       performance reports on the Internet Service Provider/Virtual\n       Private Network path.\n\n\n\n                                                                                 20\n\x0cPhoenix Application Performance\nGoals Needed\n\n Summary: USAID does not have formal published standards or goals to\n measure the performance of transaction response times in Phoenix for either\n USAID/Washington or the missions. According to the Joint Financial\n Management Improvement Program's (JFMIP)27 testing guidelines for\n commercial off-the-shelf (COTS) software, agencies need to assess the COTS\n computing performance in the agency\xe2\x80\x99s system environment for response time\n and transaction throughput capacity, especially when an agency has large\n volumes of transaction data. According to USAID officials, it would be difficult\n to apply a single standard or goal across all missions because the missions vary\n in size and telecommunications capability. Nonetheless, transaction response\n time is a thermometer of usability for users. Without formal goals and standards\n for measuring transaction response time in Phoenix, it is difficult for USAID to\n improve application performance and increase user productivity.\n\nAccording to JFMIP\xe2\x80\x99s \xe2\x80\x9cQualification Test Process\xe2\x80\x9d guidelines for COTS software,\nagencies need to assess the COTS computing performance in the agency\xe2\x80\x99s system\nenvironment for response time and transaction throughput capacity, especially\nwhen an agency has large volumes of transaction data. Further, OMB Circular\nNo. A-130, \xe2\x80\x9cManagement of Federal Information Resources,\xe2\x80\x9d states that an agency\nmust institute performance measures and management processes that monitor\nactual performance compared to expected results.\n\nUSAID\xe2\x80\x99s Phoenix Roll-out Technical Team (Phoenix Team) conducted extensive\ntesting and measured transaction response times at the five Phoenix pilot missions\nusing USAID/Washington as the baseline. However, the test results were not\nmeasured against published Agency standards or goals. Instead, the Phoenix Team\nused the assumption that USAID/Washington's performance is generally\nrecognized as an acceptable benchmark. According to USAID officials, it would\nbe difficult to apply a single standard or goal across all missions because the\nmissions vary in size and telecommunications capability. Therefore, USAID did\nnot quantify its \xe2\x80\x9cacceptable transaction response times\xe2\x80\x9d in Phoenix.\n\nAlthough applying a single standard or goal across all missions would be\nproblematic, establishing goals by region or some other reasonable means would\nbe beneficial. Transaction response time is a thermometer of usability for users.\nUsers perceive the data processing experience in terms of how quickly they are\nable to get the screen to update. Poor application performance harms staff\n\n27\n   Effective December 1, 2004, the Principals of the JFMIP voted to realign JFMIP\xe2\x80\x99s\nresponsibilities for financial management policy and oversight. Under the new structure, the\nJFMIP Program Management Office, which certifies financial management software, will report to\na new Chief Financial Officers Council committee to be chaired by the Chief of OMB\xe2\x80\x99s Office of\nFederal Financial Management, Federal Financial Systems Branch.\n\n\n\n                                                                                           21\n\x0cproductivity and is a major problem for organizations. Users waste time and get\nfrustrated waiting for applications to respond. Where performance is particularly\npoor, they will avoid using an application altogether, often reverting to manual\nprocesses to get the job done. Performance of networked applications depends on\ncomplex interactions among applications, servers, and networks. Organizations\nneed a detailed, quantitative understanding of these interactions to efficiently and\ncost-effectively troubleshoot and deploy applications. Without formal goals and\nstandards for measuring transaction response time in Phoenix, it is difficult for\nUSAID to improve application performance and increase user productivity.\n\n       Recommendation No. 7: We recommend that USAID\xe2\x80\x99s Chief\n       Financial Officer, in collaboration with the Chief Information\n       Officer and the Director, Office of Information Resources\n       Management, develop and implement formal performance goals\n       for transaction response times in Phoenix in all worldwide\n       locations.\n\n       Recommendation No. 8: We recommend that USAID\xe2\x80\x99s Chief\n       Financial Officer, in collaboration with the Chief Information\n       Officer and the Director, Office of Information Resources\n       Management, implement a process to actively monitor\n       transaction response times in Phoenix in all worldwide\n       locations.\n\nPhoenix Project Needs Contingency\nPlan for Slow Network Connectivity\n\n Summary: The Phoenix Overseas Deployment (POD) project\xe2\x80\x99s technical\n contingency plan for slow network connectivity or network disruptions is still\n under development and there is no business contingency plan in place.\n Appendix III of OMB Circular No. A-130 requires that application security plans\n include, in part, contingency planning to establish and periodically test the\n capability to perform the agency function supported by the application in the\n event of failure of its automated support. The applet technology (eFIX)\xe2\x80\x94in its\n present form\xe2\x80\x94represents a POD technical risk mitigation strategy; however\n because the types of transactions that eFIX can process is limited, eFIX is not a\n comprehensive business contingency plan. Additionally, eFIX will not be ready\n in time for the Phoenix deployment to LAC in February 2005. Without a viable\n business contingency plan, USAID is exposed to the risk of slow network\n connectivity and its negative impact on Phoenix application performance.\n\nAppendix III of OMB Circular No. A-130 establishes a minimum set of controls to\nbe included in Federal automated information security programs; assigns Federal\nagency responsibilities for the security of automated information; and links agency\nautomated information security programs and agency management control systems\n\n\n\n                                                                                 22\n\x0cestablished in accordance with OMB Circular No. A-123. For contingency\nplanning, the Appendix states that managers should plan for how they will perform\ntheir mission and/or recover from the loss of existing application support, whether\nthe loss is due to the inability of the application to function or a general support\nsystem failure.\n\nIn April 2004, the Program Management Office identified 33 risks for the POD\nproject. One of the risks identified is related to poor telecommunications and\ninterconnectivity between USAID/Washington and the overseas missions. The\nimplementation of the applet technology was identified as a technical risk\nmitigation strategy to ensure that a working interface to Phoenix is available in all\nsites, in cases where available telecommunications cannot support the Phoenix\napplication.      Further, having applet technology as an option (where\ntelecommunications is inadequate) will help ensure that USAID can achieve the\ngoal of a fully integrated core accounting system.\n\nWith the assistance of a contractor, M/IRM initiated the development of an applet\nsolution known as eFIX28 for Phoenix missions with telecommunications\nenvironments characterized by high latency and low reliability links. However, the\ntypes of transactions that eFIX can process is limited to only the most frequently-\nused transactions. Additionally, USAID officials have not yet achieved consensus\nthat the types of transactions eFIX can process are sufficient to be a practical\nsolution for USAID missions likely to experience latency problems. As a result,\neFIX does not represent a full business solution for USAID, especially in overseas\nmissions with large volumes of transactions. Further, eFIX is scheduled for testing\nin March 2005 and it will not be ready in time to support the Phoenix (Momentum\n3.7.4) rollout to LAC in February 2005.\n\nAs part of contingency planning, some USAID officials have discussed the\nconcept of \xe2\x80\x9cregionalizing\xe2\x80\x9d Phoenix in areas with network connectivity\nperformance challenges, such as in the AFR region. Under this concept, Phoenix\ntransaction processing at missions with very slow connectivity performance would\nbe moved to a mission in the region with fast connectivity performance until such\ntime when technology improves in the lesser-developed or remote areas.\nHowever, this concept has not been formalized as a business contingency plan.\n\nWithout a viable business contingency plan, USAID is exposed to the possible risk\nof slow network connectivity and its negative impact on Phoenix application\nperformance.\n\n\n\n28\n   eFIX will allow users to work with a local website and database to create and queue selected\ntransactions for submission to Phoenix. eFIX uses local Exchange and Outlook for transaction\nmanagement. eFIX works with a \xe2\x80\x9cwizard-like\xe2\x80\x9d interface to step the user through the submission\nprocess.\n\n\n\n                                                                                            23\n\x0c                       Recommendation No. 9: We recommend that USAID\xe2\x80\x99s Chief\n                       Financial Officer, in coordination with the Chief Information\n                       Systems Security Officer, develop, test, and implement a viable\n                       Phoenix Overseas Deployment project business contingency\n                       plan for slow network connectivity.\n\n\nEvaluation of   USAID\xe2\x80\x99s Acting Chief Information Officer and Chief Financial Officer prepared a\nManagement      consolidated written response to our draft report. In their response, they agreed\n                with all nine recommendations. We evaluated the comments, actions taken, and\nComments\n                documents prepared by USAID and consider that management decisions have been\n                reached for Recommendation Nos. 1, 3, 4, 7, 8 and 9 and consider that final action\n                has been completed on Recommendation Nos. 2, 5, and 6.\n\n                The consolidated written response is included in its entirety in Appendix II of this\n                report.\n\n\n\n\n                                                                                                 24\n\x0c                                                                                                Appendix I\n\n\nScope and     Scope\nMethodology\n              The Information Technology and Special Audits Division of the Office of\n              Inspector General in Washington, D.C. conducted this audit in accordance with\n              generally accepted government auditing standards. The purpose of the audit was\n              to determine whether USAID has a capable IT infrastructure that supplies reliable\n              interconnectivity between USAID/Washington and overseas missions to\n              effectively support Phoenix29.\n\n              Fieldwork for this audit was conducted at USAID\xe2\x80\x99s headquarters in Washington,\n              D.C., from October 27, 2004 to January 24, 2005. This audit was a follow-on to\n              the IT telecommunications related concerns identified in the Phoenix Overseas\n              Deployment Pilot Observation at Egypt memorandum report.30\n\n              Our audit focused on USAID\xe2\x80\x99s IT infrastructure and whether it supplies reliable\n              interconnectivity between USAID/Washington and overseas missions to\n              effectively support Phoenix. Accordingly, this audit assessed management\n              controls over that process. In addition, the audit assessed the validity and\n              reliability of M/IRM\xe2\x80\x99s computer-based data used in this report.\n\n              Methodology\n\n              To carryout the audit, we obtained an understanding of USAID\xe2\x80\x99s current IT\n              infrastructure, which included reviewing IT systems documentation, such as\n              baseline architecture reports. We examined documentation and records that\n              addressed plans for upgrading USAID\xe2\x80\x99s IT infrastructure, such as USAID\xe2\x80\x99s\n              strategic planning documents, joint Department of State and USAID Strategic\n              Planning documents, technology refresh plans, and capital asset plans.\n\n              In answering the audit objective, we researched and identified current industry\n              trends on WAN latency and performance, bandwidth, application response times,\n              and hardware configurations to use as a benchmark to measure the performance of\n              USAID's IT infrastructure. However, we focused our analysis only on network\n              latency, response time, and interconnectivity between USAID/Washington and\n              overseas missions in support of Phoenix. We assessed USAID\xe2\x80\x99s contingency\n              plans for addressing slow application performance of Phoenix and poor\n              interconnectivity between USAID/Washington and overseas missions. We also\n\n              29\n                 At the time of the audit, the Phoenix system was based on Momentum version 3.7.4, a\n              client/server type application. USAID is planning to upgrade this software to Momentum version\n              6.x in June 2005. While enhancements are provided with version 6.x, the primary difference is the\n              web-based browser environment. This upgrade will also enable integration with Momentum\n              Acquisitions\xc2\xae.\n              30\n                 USAID Report No. A-000-05-001-S, issued on October 13, 2004.\n\n\n\n\n                                                                                                            25\n\x0c                                                                      Appendix I\n\nexamined USAID\xe2\x80\x99s compliance with applicable laws, regulations, policies, and\nprocedures.\n\nIn addition, we interviewed responsible personnel in USAID\xe2\x80\x99s Bureau for\nManagement, including officials in the Office of the Chief Information Officer,\nOffice of Information Resources Management, Office of Financial Management,\nOffice of the Chief Financial Officer, and the Program Management Office, as\nwell as contractors.\n\nA materiality threshold was not established for this audit given the nature of the\naudit objective, which involved assessing USAID\xe2\x80\x99s IT infrastructure and its\ninterconnectivity between USAID/Washington and overseas missions.\n\n\n\n\n                                                                               26\n\x0c                                                                                  Appendix II\n\n\nManagement\nComments\n\n\n                     USAID Logo; From\n                     the American People\n                                                                       February 14, 2005\n\n             MEMORANDUM\n\n             TO:           IG/A/ITSA, Melinda G. Dempsey\n\n             FROM:         Acting Chief Information Officer, John Streufert /s/\n                           Chief Financial Officer, Lisa Fiely /s/\n\n             SUBJECT:      Draft Audit Report of USAID's Information               Technology\n                           Infrastructure, (Report No. A-000-05-00X-P)\n\n                    Thank you for the opportunity to respond to the subject draft report. We\n             appreciate your analysis on the IT infrastructure and your recommendations.\n\n\n             Draft Report Recommendations\n\n             Recommendation 1: We recommend that USAID\xe2\x80\x99s Director, Office of Information\n             Resources Management, implement a process to continuously monitor and\n             improve network protocol settings and fine-tune and/or replace, if feasible,\n             existing information technology infrastructure equipment in support of the Phoenix\n             Overseas Deployment project.\n\n             Management Decision: The IRM Director will define a technology refresh plan by\n             July 2005 and based on funds being provided for the plan, will begin implementing\n             by August 2005. IRM has established procedures to monitor the corporate circuits\n             over VSAT and DTS-PO. (August 2005)\n\n             Recommendation 2: We recommend that USAID\xe2\x80\x99s Director, Office of Information\n             Resources Management, implement a process to periodically identify alternate\n             sources of telecommunications service providers and emerging technologies,\n             especially in lesser-developed or remote areas where telecommunications\n             infrastructure is limited, such as in the Africa and Asia and Near East regions to\n             help improve USAID\xe2\x80\x99s information technology infrastructure performance in\n             support of the Phoenix Overseas Deployment project.\n\n\n\n                                                                                            27\n\x0c                                                                      Appendix II\n\n\nManagement Decision: IRM currently reviews sources of telecommunications\nservice on a mission-by-mission basis as part of ongoing operations activity and\npreparation for missions having Phoenix deployed and we will continue to do so.\nWe will also continue to coordinate with USAID missions, the Department of State\nand DTS-PO to share information about alternate service types/service providers in\nthe locations where the Agency requires service. (Completed)\n\nRecommendation 3: We recommend that USAID\xe2\x80\x99s Chief Information Officer\nupdate USAID\xe2\x80\x99s Information Resources Management Strategic Plan to address the\nAgency\xe2\x80\x99s information technology requirements, priorities, and infrastructure\nchallenges over the next five years and information technology goals articulated in\nthe State Department's Information Technology Strategic Plan, Fiscal Years 2006-\n2010, Goals Paper (which is based on the 2004-2009 Department of State and\nUSAID Strategic Plan).\n\nManagement Decision: The USAID CIO will update the USAID Information\nManagement Strategic plan. This plan will reflect the ongoing coordination and\njoint planning efforts between USAID and the Department of State. (August 2005)\n\nRecommendation 4: We recommend that USAID\xe2\x80\x99s Chief Information Officer\ndevelop and implement a process to annually update USAID's Information\nResources Management Strategic Plan.\n\nManagement Decision: The USAID CIO will establish a process to periodically\nupdate the USAID Information Management Strategic Plan. (August 2005) And\nwe will revise the ADS to read periodically.\n\nRecommendation 5: We recommend that USAID\xe2\x80\x99s Director, Office of Information\nResources Management, develop and implement goals, standards, and processes\nthat are consistent with industry best practices for measuring and reporting on\nUSAID\xe2\x80\x99s worldwide area network performance, such as expanding the use of\nperformance monitoring tools agency wide.\n\nManagement Decision: IRM has evaluated the current data we have on\nconnectivity and formalize standards for response times, bandwidth saturation, and\nerror rates; collects metrics in these categories by type of connectivity VSAT,\nDTS-PO, ISP; and set standards for connectivity. (Completed)\n\nRecommendation 6: We recommend that USAID\xe2\x80\x99s Director, Office of Information\nResources Management, implement a process to actively monitor and prepare\nperformance reports on the virtual private network/internet service provider\nnetwork path.\n\n\n\n\n                                                                                28\n\x0c                                                                      Appendix II\n\nManagement Decision: IRM has implemented a process to monitor and collect\nmetrics on VPN/ISP paths that are currently in use at USAID missions.\n(Completed)\n\nRecommendation 7: We recommend that USAID\xe2\x80\x99s Chief Financial Officer, in\ncollaboration with the Chief Information Officer and the Director, Office of\nInformation Resources Management, develop and implement formal performance\ngoals for transaction response times in Phoenix in all worldwide locations.\n\nManagement Decision: The Chief Financial Officer is currently collaborating with\nthe Chief Information Officer and the Director, Office of Information Resources\nManagement, on developing formal performance goals for Phoenix transaction\ntimes based on industry best-standards. These performance goals would apply to\nall missions that receive Phoenix. Once performance testing and user feedback at\nsome of the more technically-challenged missions is completed and performance\ngoals are established, the CFO\xe2\x80\x99s will implement worldwide performance goals.\n(November 2005)\n\nRecommendation 8: We recommend that USAID\xe2\x80\x99s Chief Financial Officer, in\ncollaboration with the Chief Information Officer and the Director, Office of\nInformation Resources Management, implement a process to actively monitor\ntransaction response times in Phoenix in all worldwide locations.\n\nManagement Decision: Once the performance goals for Phoenix transaction times,\nbased on industry best-standards, are established; the Chief Financial Officer, with\nconsultation from the Chief Information Officer, will implement a system to\nproactively monitor Phoenix response times in the overseas missions. (November\n2005)\n\nRecommendation 9: We recommend that USAID\xe2\x80\x99s Chief Financial Officer, in\ncoordination with the Chief Information Systems Security Officer, develop, test,\nand implement a viable Phoenix Overseas Deployment project business\ncontingency plan for slow network connectivity.\n\nManagement Decision: The Chief Financial Officer is currently coordinating with\nthe Chief Information Officer and the Director, Office of Information Resources\nManagement, in developing, testing and implementing a business contingency plan\nfor slow network connectivity. (November 2005)\n\n\n\n\n                                                                                 29\n\x0c(This page intentionally left blank)\n\n\n\n\n                                       30\n\x0c                                                                                                       Appendix III\n\n\n                                Interconnectivity between USAID/Washington and\nUSAID\xe2\x80\x99s WAN                    45 Phoenix Missions Average \xe2\x80\x9cBest Case\xe2\x80\x9d Rankings31\nPerformance                                                                               Avg Best   Best case\n                                                                               Regional\n                                    Mission Name                City Name                 Case RTT   network\n                                                                                Bureau\n                                                                                            (ms)       path\n\n                    1   El Salvador                           San Salvador       LAC         85      ISP/VPN\n                    2   Honduras                              Tegucigalpa        LAC         91      ISP/VPN\n                    3   Bosnia Herzegovina                    Sarajevo           E&E        115      ISP/VPN\n                    4   Guatemala                             Guatemala City     LAC        124      ISP/VPN\n                    5   Colombia (Pilot)                      Bogota             LAC        135      ISP/VPN\n                    6   RSC-Hungary                           Budapest           E&E        166      ISP/VPN\n                    7   Ukraine                               Kiev               E&E        167      ISP/VPN\n                    8   Russia                                Moscow             E&E        171      ISP/VPN\n                    9   Egypt (Pilot)                         Cairo              AFR        178      ISP/VPN\n                   10   Peru (Pilot)                          Lima               LAC        192      ISP/VPN\n                   11   Haiti                                 Port-au-Prince     LAC        209      ISP/VPN\n                   12   West Bank/Gaza                        Tel Aviv           ANE        219      ISP/VPN\n                   13   Morocco                               Rabat              ANE        222      ISP/VPN\n                   14   Dominican Republic                    Santo Domingo      LAC        235      ISP/VPN\n                   15   Jordan                                Amman              ANE        266      ISP/VPN\n                   16   Bolivia                               La Paz             LAC        267      ISP/VPN\n                   17   Philippines                           Manila             ANE        278      ISP/VPN\n                   18   South Africa                          Pretoria           AFR        284      ISP/VPN\n                   19   Senegal                               Dakar              AFR        288      ISP/VPN\n                   20   Nicaragua                             Managua            LAC        297      ISP/VPN\n                   21   India                                 New Delhi          ANE        352      ISP/VPN\n                   22   Montenegro                            Pogdorica          E&E        377      ISP/VPN\n                   23   Kosovo                                Pristina           E&E        390      ISP/VPN\n                   24   Indonesia                             Jakarta            ANE        415      ISP/VPN\n                   25   Pakistan                              Islamabad          ANE        435      ISP/VPN\n                   26   Jamaica                               Kingston           LAC        447       DTSPO\n                   27   Southern Africa Regional (Botswana)   Gaborone           AFR        473      ISP/VPN\n                   28   Nigeria (Pilot)                       Abuja              AFR        546        VSAT\n                   29   Ghana (Pilot)                         Accra              AFR        571        VSAT\n                   30   Kazakhstan                            Almaty             E&E        602      ISP/VPN\n                   31   Uganda                                Kampala            AFR        611        VSAT\n                   32   REDSO/EA Kenya                        Nairobi            AFR        612        VSAT\n                   33   Guinea                                Conakry            AFR        614        VSAT\n                   34   Malawi                                Lilongwe           AFR        633        VSAT\n                   35   Ethiopia                              Addis Ababa        AFR        639        VSAT\n                   36   Zimbabwe                              Harare             AFR        643        VSAT\n                   37   Georgia                               Tblisi             E&E        648        VSAT\n                   38   Nepal                                 Kathmandu          ANE        668        VSAT\n                   39   Madagascar                            Antananarivo       AFR        674      ISP/VPN\n                   40   Mali                                  Bamako             AFR        675        VSAT\n                   41   Mozambique                            Maputo             AFR        683        VSAT\n                   42   Benin                                 Cotonou            AFR        692        VSAT\n                   43   Afghanistan                           Kabul              ANE        697        VSAT\n                   44   Cambodia                              Phnom Penh         ANE        722      ISP/VPN\n                   45   Bangladesh                            Dhaka              ANE        745      ISP/VPN\n\n              31\n                The amounts presented in this table were provided by M/IRM/ENMS and its process for\n              compiling the amounts was audited. The network performance data is comprised of average daily\n              Round Trip Time (RTT) readings in September and October 2004 for DTSPO and VSAT. For\n              ISP/VPN, the RTT readings are the averages of one sample day in October and one sample day in\n              November 2004. RTT rankings are sorted from fasted to slowest interconnectivity.\n\n\n\n\n                                                                                                                 31\n\x0c"